Page 1: Network Security: Network Flooding (yongdaek/courses/is511/..., 2019-10-23)

Network Security: Network Flooding

Seungwon Shin, KAIST

Most slides from Dr. Dan Boneh and Darren Anstee

Page 2

What is a Denial of Service Attack?

Goal: take out a large site with little computing work
•  Network bandwidth
•  Computing power: processor, memory

How: amplification. Small number of packets ⇒ big effect

Two types of amplification attacks:
•  DoS bug: design flaw allowing one machine to disrupt a service
•  DoS flood: command a bot-net to generate a flood of requests

Page 3

What is a Denial of Service attack?

•  An attempt to consume finite resources, exploit weaknesses in software design or implementation, or exploit lack of infrastructure capacity
•  Affects the availability and utility of computing and network resources
•  Attacks can be distributed for even more significant effect
•  The collateral damage caused by an attack can be as bad, if not worse, than the attack itself

[Figure from the "DDoS Primer" slide: a data center behind an IPS and a load balancer, contrasting application-layer DDoS impact with volumetric DDoS impact]

Page 4

DoS or DDoS

DoS (Denial of Service): a DoS attack is targeted at a particular node (machine) and attempts to deny service to that node.

Source of the attack:
•  Single node: DoS (Denial of Service) attack
•  Multiple nodes: DDoS (Distributed Denial of Service) attack

Page 5

Which Layer?

Sample DoS attacks at different layers (in order): Link, TCP/UDP, Application

Sad truth: the current Internet… not designed to handle DDoS attacks

Page 6

Smurf Attack

Send ping request to broadcast address (ICMP Echo Req). Lots of responses: every host on the target network generates a ping reply (ICMP Echo Reply) to the victim.

Smurf amplification DoS attack (figure):
1. DoS source → gateway: ICMP Echo Req, Src: DoS target, Dest: broadcast addr
3. Every host on the network → DoS target: ICMP Echo Reply, Dest: DoS target

Prevention: reject external packets to broadcast address
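The prevention line above is a one-sentence rule; the following added example (written for this page, not code from the slides or from Boneh/Anstee) shows what a border router actually has to check to enforce it, and why the rule works. It drops any packet that arrives from outside the site and is addressed to one of the site's directed-broadcast addresses, and it computes how many replies one such packet could have triggered. The prefixes, packets and `dir` field are constructed for the demonstration.

```python
import ipaddress

# Constructed example: the site's own address blocks as seen from its border router.
LOCAL_NETS = [ipaddress.ip_network("198.51.100.0/24"),
              ipaddress.ip_network("203.0.113.0/25")]


def is_local(addr: str, nets=LOCAL_NETS) -> bool:
    """True if addr belongs to one of the site's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def broadcast_net(addr: str, nets=LOCAL_NETS):
    """Return the local prefix whose directed-broadcast address is addr, else None."""
    ip = ipaddress.ip_address(addr)
    for n in nets:
        if ip == n.broadcast_address:
            return n
    return None


def border_filter(pkt: dict, nets=LOCAL_NETS) -> str:
    """Decide 'drop' or 'pass' for one inbound packet at the border.

    pkt keys: src, dst (dotted IPv4), proto ('icmp'/'udp'/'tcp'), icmp_type (8 = echo request).
    The Smurf trigger is an echo request from outside aimed at one of our broadcast addresses.
    Every external packet to a broadcast address is dropped, not only ICMP, because any
    protocol that answers a broadcast amplifies the same way."""
    if pkt["dst"] == "255.255.255.255" or broadcast_net(pkt["dst"], nets) is not None:
        if not is_local(pkt["src"], nets):
            return "drop"
    return "pass"


def amplification_factor(pkt: dict, nets=LOCAL_NETS) -> int:
    """How many echo replies one echo request to this broadcast address could trigger:
    every usable host address in the prefix (network and broadcast addresses excluded)."""
    n = broadcast_net(pkt["dst"], nets)
    if n is None or pkt.get("proto") != "icmp" or pkt.get("icmp_type") != 8:
        return 0
    return n.num_addresses - 2


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    # echo request from outside carrying the victim's address as source, aimed at our broadcast address
    {"src": "192.0.2.9", "dst": "198.51.100.255", "proto": "icmp", "icmp_type": 8},
    # ordinary inbound echo request to a single host: allowed
    {"src": "192.0.2.9", "dst": "198.51.100.10", "proto": "icmp", "icmp_type": 8},
    # inside host on 203.0.113.0/25 pinging its own broadcast address: not an external packet
    {"src": "203.0.113.5", "dst": "203.0.113.127", "proto": "icmp", "icmp_type": 8},
    # external UDP to the broadcast address is dropped too
    {"src": "192.0.2.9", "dst": "198.51.100.255", "proto": "udp"},
]


def audit(packets=SAMPLE_PACKETS, nets=LOCAL_NETS):
    """Return (decision, potential amplification) for each packet."""
    return [(border_filter(p, nets), amplification_factor(p, nets)) for p in packets]
```

The first sample packet is the whole attack in one datagram: one 60-odd-byte request from outside can produce 254 replies to whatever address was forged as its source. On real equipment the same rule is a one-line interface setting (on Cisco IOS, `no ip directed-broadcast`, which has been the default since RFC 2644); the point of the code is to make visible what that setting decides.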

Page 7

DNS Amplification Attack: modern day example (May ’06)

DNS Amplification attack (×50 amplification): 580,000 open resolvers on the Internet (Kaminsky-Shiffman ’06)

Figure:
•  DoS source → DNS server: DNS query, src IP: DoS target (60 bytes)
•  DNS server → DoS target: EDNS response (3000 bytes)
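The open resolver is the amplifier, so the defence that matters most sits on the resolver, not on the victim. The added example below (written for this page; it is a simplified model, not BIND's code, though BIND's Response Rate Limiting applies the same two ideas) budgets full-size responses per client /24 and query name, and "slips" every second over-budget reply into a tiny truncated (TC=1) answer. A real client that gets TC=1 retries over TCP, which a spoofed source cannot do. The byte sizes are the slide's 60-byte query and 3000-byte EDNS response; the rate, slip value, names and addresses are constructed.

```python
from collections import defaultdict

# Constructed parameters. BIND's RRL uses a per-prefix response budget and 'slip' in the same
# spirit, but its accounting and defaults are its own; this is a simplified model.
RESPONSES_PER_SECOND = 5
SLIP = 2                       # every 2nd over-budget response becomes a tiny TC=1 reply instead of silence
QUERY_BYTES = 60               # sizes from the slide: ~60-byte query, ~3000-byte EDNS response
FULL_RESPONSE_BYTES = 3000
TRUNCATED_RESPONSE_BYTES = 60  # a TC=1 reply carries only the header and the question


class ResponseRateLimiter:
    """Per query, decide whether an open resolver answers in full, slips a truncated reply, or drops."""

    def __init__(self, rps=RESPONSES_PER_SECOND, slip=SLIP):
        self.rps = rps
        self.slip = slip
        self.sent = defaultdict(int)      # (window, key) -> full responses already sent
        self.over = defaultdict(int)      # key -> over-budget count, drives the slip cadence

    @staticmethod
    def key(client_ip: str, qname: str):
        # Budget per client /24, so rotating spoofed hosts inside one subnet does not reset it.
        prefix = ".".join(client_ip.split(".")[:3]) + ".0/24"
        return (prefix, qname.lower())

    def decide(self, client_ip: str, qname: str, now: float) -> str:
        k = self.key(client_ip, qname)
        window = int(now)                 # fixed one-second windows keep the arithmetic exact
        if self.sent[(window, k)] < self.rps:
            self.sent[(window, k)] += 1
            return "answer"
        self.over[k] += 1
        if self.slip and self.over[k] % self.slip == 0:
            return "truncate"             # real client retries over TCP; a spoofed victim gets ~60 bytes
        return "drop"


def simulate_reflection(n_queries=100, victim_ip="192.0.2.10", qname="example.net", limiter=None):
    """Spoofed burst: n_queries within one second, all carrying the victim's address as source.
    Returns the decision counts and the bytes that reach the victim with and without RRL."""
    rrl = limiter or ResponseRateLimiter()
    counts = {"answer": 0, "truncate": 0, "drop": 0}
    for i in range(n_queries):
        counts[rrl.decide(victim_ip, qname, now=i / n_queries)] += 1
    bytes_with_rrl = (counts["answer"] * FULL_RESPONSE_BYTES
                      + counts["truncate"] * TRUNCATED_RESPONSE_BYTES)
    bytes_without_rrl = n_queries * FULL_RESPONSE_BYTES
    sent_by_attacker = n_queries * QUERY_BYTES
    return {"counts": counts,
            "bytes_with_rrl": bytes_with_rrl,
            "bytes_without_rrl": bytes_without_rrl,
            "amplification_without_rrl": bytes_without_rrl / sent_by_attacker,
            "amplification_with_rrl": bytes_with_rrl / sent_by_attacker}
```

Without limiting, 100 forged queries cost the attacker 6,000 bytes and land 300,000 bytes on the victim, the ×50 of the slide. With the limiter the victim receives 17,820 bytes (5 full answers plus 47 truncated ones), an amplification just under ×3, while a single legitimate query from any other client is still answered.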

Page 8

Review: TCP 3-way Handshake

C = client, S = server (listening)

1. SYN, C → S: SN_C ← rand_C, AN_C ← 0
2. SYN/ACK, S → C: SN_S ← rand_S, AN_S ← SN_C (server stores SN_C, SN_S and waits)
3. ACK, C → S: SN ← SN_C, AN ← SN_S (established)

Page 9

TCP SYN Flooding: TCP SYN Flood I: low rate (DoS bug)

Figure: C sends SYN_C1, SYN_C2, SYN_C3, SYN_C4, SYN_C5, … to S

Single machine:
•  SYN packets with random source IP addresses
•  Fills up backlog queue on server
•  No further connections possible

Page 10

Why is it Vulnerable?

TCP backlog issue. SYN Floods (phrack 48, no 13, 1996):

OS               Backlog queue size
Linux 1.2.x      10
FreeBSD 2.1.5    128
WinNT 4.0        6

Backlog timeout: 3 minutes
⇒ Attacker need only send 128 SYN packets every 3 minutes.
⇒ Low rate SYN flood

Windows 2000 server: 80; Advanced Windows server: 400

Increase the backlog (Linux RedHat 7.3):
  # sysctl -w net.ipv4.tcp_max_syn_backlog="2048"
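The arithmetic on this slide (128 slots, 3-minute timeout, so 128 SYNs every 3 minutes suffice) and the SYN-cookie row of the later "DDoS Defense" table are two sides of one design question: does the server keep state for a SYN before the client has proven it can receive packets? The added example below (written for this page; not code from the slides, from the phrack article, or from any kernel) replays the slide's timeline against a stateful backlog, then shows a simplified SYN cookie: the server's initial sequence number encodes a 5-bit time counter and a keyed hash of the connection 4-tuple, so nothing is stored until a valid ACK returns. The secret, addresses and the omission of the MSS bits that real cookies carry are constructed simplifications.

```python
import hashlib
import hmac

# Constructed parameters taken from the slide: FreeBSD 2.1.5's backlog of 128 and a 3-minute timeout.
BACKLOG_SIZE = 128
BACKLOG_TIMEOUT = 180.0   # seconds


class HalfOpenBacklog:
    """Stateful listen queue: each SYN holds a slot until the final ACK arrives or the slot times out."""

    def __init__(self, size=BACKLOG_SIZE, timeout=BACKLOG_TIMEOUT):
        self.size, self.timeout = size, timeout
        self.slots = {}       # (src_ip, src_port) -> expiry time

    def _expire(self, now):
        self.slots = {k: exp for k, exp in self.slots.items() if exp > now}

    def syn(self, src_ip, src_port, now):
        """True if the SYN got a slot (server sends SYN/ACK), False if it had to be dropped."""
        self._expire(now)
        if len(self.slots) >= self.size:
            return False
        self.slots[(src_ip, src_port)] = now + self.timeout
        return True

    def ack(self, src_ip, src_port, now):
        """True if a half-open slot matches, i.e. the handshake completes."""
        self._expire(now)
        return self.slots.pop((src_ip, src_port), None) is not None


def spoofed_syn_burst(backlog, now, count=BACKLOG_SIZE):
    """SYNs whose forged sources never answer the SYN/ACK. Returns how many obtained slots."""
    got = 0
    for i in range(count):
        src = "203.0.113." + str(1 + i % 254)     # constructed spoofed source block
        if backlog.syn(src, 40000 + i, now):
            got += 1
    return got


def backlog_timeline():
    """Replays the slide's arithmetic: 128 SYNs every 3 minutes keep a real client out indefinitely."""
    b = HalfOpenBacklog()
    first_burst = spoofed_syn_burst(b, now=0.0)                       # t = 0 s: queue fills
    refused_at_10s = not b.syn("198.51.100.7", 50000, now=10.0)       # real client gets no slot
    second_burst = spoofed_syn_burst(b, now=180.0)                    # t = 180 s: slots expire, refill
    refused_at_190s = not b.syn("198.51.100.7", 50001, now=190.0)
    admitted_at_400s = b.syn("198.51.100.7", 50002, now=400.0)        # attacker stopped; slots expired
    completed = b.ack("198.51.100.7", 50002, now=400.1)
    return {"first_burst": first_burst, "refused_at_10s": refused_at_10s,
            "second_burst": second_burst, "refused_at_190s": refused_at_190s,
            "admitted_at_400s": admitted_at_400s, "completed": completed}


COOKIE_SECRET = b"constructed-demo-secret"   # a real kernel draws random secrets at boot
COUNTER_PERIOD = 64                          # seconds per tick of the 5-bit time counter


def _cookie_mac(src_ip, src_port, dst_ip, dst_port, client_isn, counter):
    msg = f"{src_ip}:{src_port}:{dst_ip}:{dst_port}:{client_isn}:{counter}".encode()
    return int.from_bytes(hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()[:4], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, now):
    """Server ISN = 5-bit time counter | 27-bit keyed hash. Nothing is stored: the SYN is answered
    and forgotten (simplified: the MSS bits of real SYN cookies are left out)."""
    counter = int(now) // COUNTER_PERIOD
    mac = _cookie_mac(src_ip, src_port, dst_ip, dst_port, client_isn, counter)
    return ((counter & 0x1F) << 27) | (mac & 0x07FFFFFF)


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, ack_number, now, max_age_ticks=2):
    """Accept the ACK only if ack_number - 1 is a cookie this server minted recently for this 4-tuple."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    current = int(now) // COUNTER_PERIOD
    for age in range(max_age_ticks + 1):
        counter = current - age
        if counter < 0:
            continue
        expected = make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn,
                                   counter * COUNTER_PERIOD)
        if hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
            return True
    return False
```

Under the stateful backlog the real client is refused at 10 s and again at 190 s, and only gets in once the attacker stops; under the cookie scheme the same burst costs the server nothing but the SYN/ACKs it sends, and a forged ACK, a tampered port or a cookie older than two counter ticks is rejected by the hash check rather than by a queue limit.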

Page 11

Backscatter Effect

SYN floods: backscatter [MVS’01]
SYN with forged source IP ⇒ SYN/ACK to random host

Page 12

TCP SYN Flood Case

MS Blaster worm (2003). Infected machines at noon on Aug 16th:
•  SYN flood on port 80 to windowsupdate.com
•  50 SYN packets every second
•  each packet is 40 bytes
•  Spoofed source IP: a.b.X.Y where X,Y random

MS solution: new name: windowsupdate.microsoft.com; Win update file delivered by Akamai

Page 13

More Interesting Example: SQL Slammer

Damage history (extract): on Jan. 25, 2003, over 260,000 unique IP addresses were infected by the Slammer worm within Internet Security Systems' monitored networks.

Propagation of the worm overpowered Internet connections with millions of UDP/IP probes hours after the activity began.

ETH Zurich was not connected to the Internet for about 3 hours. Service for e-mail and web pages was only partially available.

On Feb. 5, 2003, the (W)LAN for visitors and vendors at the Internet Expo in Zurich (with 330 vendors present) was not available due to SQL Slammer infections of vendors’ computers.

Page 14

More Interesting Example: SQL Slammer

How the SQL Slammer DDoS attack works: the amplifying network of zombies is built fast by worm spreading based on exploiting a system vulnerability.

System vulnerability: exploits Microsoft SQL Servers and MSDE-enabled products vulnerable to the SQL Server resolution service buffer overflow.

Slammer's main function is propagation, sending 376 bytes of code across port 1434/UDP until the SQL Server shuts down. Scanning, infection and attack code are combined.

Countermeasures: patch the vulnerable SQL server installations; filter attack traffic to port 1434/UDP.

Page 15

SQL Slammer

Page 16

DDoS with Botnet

Page 17

DRDoS with Botnet

DRDoS attack: Distributed Reflector Denial of Service. Reflectors are uncompromised machines.
•  The slave zombies send packets to the reflectors with IP source addresses spoofed as the target
•  The reflectors return packets to the target
•  The reflectors carry out the flooding rather than the slaves: more distributed than a typical DDoS attack.

Page 18

DRDoS with Botnet

Page 19

Application Level Attack

Command bot army to do the following operations:
•  make a TCP session
•  send a short HTTP HEAD request to a target
•  keep sending

It can evade detection approaches such as TCP SYN flooding detection.

However, the attacker has to use real IP addresses, not spoofed ones, which is the reason why an attacker uses bots.
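Because the HEAD-request flood completes the TCP handshake from real addresses, SYN-flood counters never fire; what remains visible is the rate at which one source repeats a cheap request. The same per-source rate logic also catches the Slammer propagation traffic on the earlier slide (a 376-byte UDP datagram to port 1434 at very high rate). The added example below (written for this page, not code from the slides) is one sliding-window detector parameterised by a matcher, run over constructed records for both cases. The thresholds, addresses and record format are assumptions; the port, size and request method come from the slides.

```python
from collections import defaultdict, deque


class PerSourceRateDetector:
    """Sliding-window counter keyed by source address: alert once a source produces more than
    `threshold` matching events within `window` seconds. `match` selects which records count."""

    def __init__(self, window, threshold, match):
        self.window, self.threshold, self.match = window, threshold, match
        self.events = defaultdict(deque)   # src -> timestamps of matching events, oldest first
        self.alerted = set()

    def observe(self, rec):
        """Feed one record; returns the source address if this record crosses the threshold."""
        if not self.match(rec):
            return None
        q = self.events[rec["src"]]
        q.append(rec["t"])
        while q and q[0] < rec["t"] - self.window:
            q.popleft()                      # forget events that fell out of the window
        if len(q) > self.threshold and rec["src"] not in self.alerted:
            self.alerted.add(rec["src"])
            return rec["src"]
        return None

    def run(self, records):
        ordered = sorted(records, key=lambda r: r["t"])
        return sorted(s for s in (self.observe(r) for r in ordered) if s)


# Two matchers built from the slides' descriptions.
def slammer_like(rec):
    # Slammer's propagation packet: a single 376-byte UDP datagram to port 1434.
    return rec["proto"] == "udp" and rec["dport"] == 1434 and rec["len"] == 376


def http_head(rec):
    # Application-level flood: completed TCP session followed by short HTTP HEAD requests.
    return rec["proto"] == "tcp" and rec["dport"] == 80 and rec.get("http_method") == "HEAD"


def constructed_records():
    """Synthetic records (not captured data): one worm-like host, one HEAD-flooding bot, benign traffic."""
    recs = []
    for i in range(300):      # infected host blasting 300 UDP/1434 packets in one second
        recs.append({"t": i / 300, "src": "203.0.113.50", "dst": f"192.0.2.{i % 256}",
                     "proto": "udp", "dport": 1434, "len": 376})
    for i in range(120):      # bot with a real address sending one HEAD every 50 ms for 6 s
        recs.append({"t": i * 0.05, "src": "198.51.100.77", "dst": "192.0.2.10",
                     "proto": "tcp", "dport": 80, "len": 60, "http_method": "HEAD"})
    for i in range(5):        # ordinary browser: one HEAD then a few GETs
        recs.append({"t": i * 1.1, "src": "198.51.100.9", "dst": "192.0.2.10",
                     "proto": "tcp", "dport": 80, "len": 400, "http_method": "GET" if i else "HEAD"})
    recs.append({"t": 2.0, "src": "198.51.100.9", "dst": "192.0.2.20",
                 "proto": "udp", "dport": 1434, "len": 376})   # one lone SQL resolution packet
    return recs


def detect(records=None):
    records = records or constructed_records()
    worm = PerSourceRateDetector(window=1.0, threshold=50, match=slammer_like)
    flood = PerSourceRateDetector(window=5.0, threshold=40, match=http_head)
    return {"udp_1434_scanners": worm.run(records), "http_head_flooders": flood.run(records)}
```

The HEAD flooder is flagged at its 41st request inside a five-second window while the browser that sends a single HEAD is not; the worm-like host trips the UDP/1434 matcher at its 51st packet within a second, while a single packet to that port passes. Thresholds are the tuning knob a real deployment has to choose per service; the structure (matcher plus per-source window) is the same.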

Page 20

DDoS classification

A Taxonomy of DDoS Attack and DDoS Defense Mechanisms Mirkovic et al., ACM CCR 2004

DDoS Attack Mechanisms

Classification by degree of automation (DA): Manual (DA-1), Semi-automatic (DA-2), Automatic (DA-3)
Classification by communication mechanism (CM): Direct (CM-1), Indirect (CM-2)
Classification by host scanning strategy (HSS): Random (HSS-1), Hitlist (HSS-2), Signpost (HSS-3), Permutation (HSS-4), Local subnet (HSS-5)
Classification by vulnerability scanning strategy (VSS): Horizontal (VSS-1), Vertical (VSS-2), Coordinated (VSS-3), Stealthy (VSS-4)
Classification by propagation mechanism (PM): Central (PM-1), Back-chaining (PM-2), Autonomous (PM-3)
Classification by exploited weakness (EW): Semantic (EW-1), Brute-force (EW-2)
Classification by source address validity (SAV): Spoofed (SAV-1), Valid (SAV-2)
Classification by address routability (AR): Routable (AR-1), Non-routable (AR-2)
Classification by spoofing technique (ST): Random (ST-1), Subnet (ST-2), En route (ST-3), Fixed (ST-4)
Classification by attack rate dynamics (ARD): Constant rate (ARD-1), Variable rate (ARD-2)
Classification by rate change mechanism (RCM): Increasing (RCM-1), Fluctuating (RCM-2)
Classification by possibility of characterization (PC): Characterizable (PC-1), Non-characterizable (PC-2)
Classification by relation of attack to victim services (RAVS): Filterable (RAVS-1), Non-filterable (RAVS-2)
Classification by persistence of agent set (PAS): Constant set (PAS-1), Variable (PAS-2)
Classification by victim type (VT): Application (VT-1), Host (VT-2), Resource (VT-3), Network (VT-4), Infrastructure (VT-5)
Classification by impact on the victim (IV): Disruptive (IV-1), Degrading (IV-2)
Classification by possibility of dynamic recovery (PDR): Self-recoverable (PDR-1), Human-recoverable (PDR-2), Non-recoverable (PDR-3)

Figure 1: Taxonomy of DDoS Attack Mechanisms

we differentiate between attacks that deploy random scanning, hitlist scanning, signpost scanning, permutation scanning and local subnet scanning, using material presented in [72, 70]. Based on the vulnerability scanning strategy, we differentiate between attacks that deploy horizontal scanning, vertical scanning, coordinated scanning and stealthy scanning, using material presented in [75, 69]. Attackers usually combine the scanning and exploit phases and our description of scanning techniques relates to this model.

DA-2 and DA-3: HSS-1: Random Scanning. During random scanning, each compromised host probes random addresses in the IP address space (footnote 3), using a different seed. Code Red (CRv2) performed random scanning [53]. Random scanning potentially creates a high traffic volume. Since many scanned addresses are likely to be in different networks, there is a high amount of internetwork traffic. Also, as infection reaches saturation point (a high percentage of vulnerable machines are infected), duplicate probes to the same addresses escalate, as there is no synchronization of scanning attempts from different infected hosts. The high traffic volume can lead to attack detection.

DA-2 and DA-3: HSS-2: Hitlist Scanning. A machine performing hitlist scanning probes all addresses from an externally supplied list. When it detects a vulnerable machine, it sends a portion of the initial hitlist to the recipient and keeps the rest. Hitlist scanning allows for great propagation speed and no collisions during the scanning phase. If an attacker compiled a list of all vulnerable Internet machines (flash worm [70]) he could infect the entire population within 30 seconds. The disadvantage to the attacker is that the hitlist needs to be assembled in advance. The information is collected through some inconspicuous means such as using public information on machines running vulnerable software (e.g., found at netscan.org) or using slow scans over several months or years. Another disadvantage is that the portion of the hitlist needs to be transmitted to machines that are being infected. If the list is too large, this traffic might be of high volume and lead to attack detection; if it is too small, it will generate a small agent population.

DA-2 and DA-3: HSS-3: Signpost Scanning. Signpost scanning (also called topological scanning in [72, 70]) takes advantage of habitual communication patterns of the compromised host to select new targets. E-mail worms use signpost scanning, exploiting the information from address books of compromised machines for their spread. A Web-server-based worm could spread by infecting each vulnerable Web browser of clients that click on the server's Web page, and then further infecting servers of subsequent Web pages visited by these clients (this worm is called contagion worm in [70]). Signpost scanning does not generate a high traffic load and thus reduces chances of attack detection. The drawback is that the spreading speed depends on agent machines and their user behavior, i.e. it is not controllable by the attacker. The recruitment thus may be slower and less complete than with other scanning techniques.

DA-2 and DA-3: HSS-4: Permutation Scanning. During permutation scanning, all compromised machines share a common pseudo-random permutation of the IP address space; each IP address is mapped to an index in this permutation. Permutation scanning is preceded by small

Footnote 3: Some researchers have pointed out that this scanning is only effective in densely populated IPv4 address space, and would be less successful in a vast, sparsely populated IPv6 address space.

ACM SIGCOMM Computer Communications Review, Volume 34, Number 2, April 2004 (p. 42)

Page 21

DDoS Defense - next class

Attack Countermeasure Options (by Dr. Ruby Lee)

Attack: Network Level Device
  Countermeasure options: software patches, packet filtering
  Example: ingress and egress filtering
  Description: software upgrades can fix known bugs and packet filtering can prevent attacking traffic from entering a network.

Attack: OS Level
  Countermeasure options: SYN cookies, drop backlog connections, shorten timeout time
  Example: SYN cookies
  Description: shortening the backlog time and dropping backlog connections will free up resources. SYN cookies proactively prevent attacks.

Attack: Application Level Attacks
  Countermeasure options: intrusion detection system
  Example: GuardDog, other vendors
  Description: software used to detect illicit activity.

Attack: Data Flood (Amplification, Oscillation, Simple Flooding)
  Countermeasure options: replication and load balancing
  Example: Akamai/Digital Island provide content distribution
  Description: extending the volume of content under attack makes it more complicated and harder for attackers to identify services to attack and accomplish complete attacks.

Attack: Protocol Feature Attacks
  Countermeasure options: extend protocols to support security
  Example: IETF standard for itrace, DNSSEC
  Description: trace source/destination packets by a means other than the IP address (blocks against IP address spoofing). DNSSEC would provide authorization and authentication on DNS information.
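The first row of the table, ingress and egress filtering, is what removes the forged source addresses that every reflection and backscatter slide above depends on. The added example below (written for this page, not code from the slides or from Dr. Lee's table) applies the two rules to constructed packets at two places: a customer edge that knows its own /24, and an upstream router that only knows the customer's aggregated /16. The comparison shows why the MS Blaster pattern from the earlier slide (spoofing a.b.X.Y with the host's real a.b) passes a coarse filter and fails a fine one. The prefixes, bogon list and packets are constructed.

```python
import ipaddress

# Constructed topology: a customer edge router serving one /24, and an upstream aggregation
# router that only knows the customer's whole /16. Neither prefix is real infrastructure.
CUSTOMER_PREFIX = ipaddress.ip_network("203.0.113.0/24")
AGGREGATE_PREFIX = ipaddress.ip_network("203.0.0.0/16")
BOGONS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
                                             "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]


def egress_ok(src: str, prefix) -> bool:
    """Egress rule: a packet may leave only if its source really belongs to this network."""
    return ipaddress.ip_address(src) in prefix


def ingress_ok(src: str, prefix) -> bool:
    """Ingress rule at the same edge: a packet arriving from outside must not claim an inside
    address or an unroutable one; otherwise replies to it would be reflected back at us."""
    ip = ipaddress.ip_address(src)
    return ip not in prefix and not any(ip in b for b in BOGONS)


def filter_packets(packets, prefix):
    """Apply the rule matching each packet's direction; returns (pkt_id, decision) pairs."""
    out = []
    for p in packets:
        ok = egress_ok(p["src"], prefix) if p["dir"] == "out" else ingress_ok(p["src"], prefix)
        out.append((p["id"], "pass" if ok else "drop"))
    return out


# Constructed packets (not captured data).
SAMPLE = [
    {"id": "legit-out", "dir": "out", "src": "203.0.113.77"},       # real host sending normally
    {"id": "random-spoof", "dir": "out", "src": "192.0.2.200"},      # fully random forged source
    {"id": "blaster-style", "dir": "out", "src": "203.0.200.5"},     # a.b.X.Y with the host's own a.b
    {"id": "in-spoofed-local", "dir": "in", "src": "203.0.113.5"},   # outside packet claiming inside src
    {"id": "in-bogon", "dir": "in", "src": "10.1.1.1"},
    {"id": "in-normal", "dir": "in", "src": "198.51.100.3"},
]


def compare_granularity(packets=SAMPLE):
    """Same packets filtered at the customer /24 edge versus at the upstream /16 aggregate."""
    return {"edge_/24": dict(filter_packets(packets, CUSTOMER_PREFIX)),
            "upstream_/16": dict(filter_packets(packets, AGGREGATE_PREFIX))}
```

Both filters drop the fully random forgery and the inbound packets with inside or bogon sources, but only the /24 edge drops the Blaster-style packet: from the upstream's point of view 203.0.200.5 is a legitimate address of the aggregate. Source validation therefore has to be applied as close to the hosts as the address plan allows; the further upstream it sits, the larger the space an attacker may still forge within.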

Page 22

DDoS Trend

Page 23

DDoS Trend - CISCO

Columns: Distribution / Management / # Attackers (Bandwidth) / Type of attack / Protection

Row 1
  Distribution: manually (hack to servers)
  Management: manually
  # Attackers (bandwidth): X0-X00 attackers (X0 Mbps)
  Type of attack: non-critical protocols (e.g. ICMP); spoofed SYN
  Protection: enterprise level; firewall / ACL on access routers

Row 2
  Distribution: e-mail attachment; download from questionable site; via "chat" (ICQ, AIM, IRC); worms
  Management: manually
  # Attackers (bandwidth): ~X00-X,000 attackers (X00 Mbps)
  Type of attack: all types of applications (HTTP, DNS, SMTP); spoofed SYN
  Protection: ISP/IDC; blackhole; ACL; DDoS solutions

Row 3
  Distribution: e-mail attachment; via "chat" (ICQ, AIM, IRC…)
  Management: via botnets
  # Attackers (bandwidth): ~X00,000 attackers (X-X0 Gbps)
  Type of attack: legitimate requests; infrastructure elements (DNS, SMTP, HTTP…)
  Protection: blackhole (?); ACL (?); DDoS solutions; anycast (?)

Page 24

DDoS Trend - from Akamai Report (2015)

Summary

DDoS attacks, Q4 2015 vs. Q4 2014:
•  148.85% increase in total DDoS attacks
•  168.82% increase in infrastructure layer DDoS attacks

DDoS attacks, Q4 2015 vs. Q3 2015:
•  39.89% increase in total DDoS attacks
•  42.38% increase in infrastructure layer DDoS attacks

Web application attacks, Q4 2015 vs. Q3 2015:
•  28.10% increase in total web application attacks
•  28.65% increase in web application
•  12.19% increase in SQL attacks

Page 25

Source: akamai’s [state of the internet] / security / Q4 2015 / www.stateoftheinternet.com (section 2, DDoS activity, p. 13)

DDoS Attack Vector Frequency, Q4 2015

[Figure 2-1, bar chart: infrastructure layer DDoS 96.89%, application layer DDoS 3.11%. Infrastructure layer vectors shown: UDP Fragment, UDP Floods, NTP, SYN, SSDP, TCP Anomaly, ICMP, DNS, CHARGEN, ACK (3.36%), RIP (1.19%), RESET (1.00%), FIN Floods (0.19%), RP (0.14%), RPC (0.46%), NetBIOS (0.35%), Sentinel (0.03%), SNMP (0.30%), SYN PUSH (0.03%), XMAS (0.08%), Other. Application layer vectors shown: HTTP GET (2.17%), HTTP POST, PUSH, HEAD (0.08%). The remaining bar values in the extracted chart (21.01%, 14.27%, 13.27%, 10.40%, 9.40%, 9.34%, 7.53%, 3.17%, 1.58%, 1.38%, 0.51%, 0.35%) are not attributable to a vector from the text alone.]

Figure 2-1: Of the 24 DDoS attack vectors tracked this quarter, four — UDP Fragment, NTP, SYN and DNS — made up almost 60% of the attacks

Page 26

The xor and BillGates malware share similarities with the Spike DDoS toolkit, a multi-platform toolkit first profiled by Akamai SIRT in 2014. Spike targets both Windows and Linux machines as well as routers and other Internet-enabled devices for infection. While the xor and BillGates DDoS attacks have originated from Linux hosts, the possibility exists for Windows, embedded devices and routers to join in on the attacks.

2.4 / DDoS Attack Source Countries / The UK was the top source of attack traffic in Q3 2015, but in Q4 it fell to ninth place, as shown in Figure 2-9. China returned to the number one spot, while Turkey was the second-largest source of attack traffic. Attack traffic from the UK didn’t decrease overall, but traffic increased enough from China, Turkey and the US to affect the relative rankings.

A comparison of top source countries over the past five quarters is shown in Figure 2-10.

It is important to note that source country is based primarily on application traffic that requires a complete connection. Infrastructure traffic, such as UDP, is easily spoofed, and therefore is not used in this metric.

Top 10 Source Countries for DDoS Attacks, Q4 2015: China 28%, Turkey 22%, US 15%, Korea 9%, Mexico 8%, Indonesia 5%, Taiwan 4%, Spain 3%, India 3%, UK 3%

Figure 2-9: In Q4 2015, DDoS attacks were most commonly observed coming from China, Turkey and the US

Page 27

Top 5 Source Countries for DDoS Attacks, Q4 2014 – Q4 2015 (percentage of attack traffic)

Q4 2015: China 27.67%, Turkey 21.99%, US 15.03%, Korea 8.52%, Mexico 8.37%
Q3 2015: UK 25.60%, China 20.70%, US 17.04%, India 6.95%, Spain 6.87%
Q2 2015: China 37.01%, US 17.88%, UK 10.21%, India 7.43%, Spain 6.03%
Q1 2015: China 23.45%, Germany 17.39%, US 12.18%, Italy 8.38%, Spain 7.29%
Q4 2014: US 31.54%, China 17.60%, Germany 12.00%, Mexico 11.69%, France 7.64%

Figure 2-10: While the US and China have been in the top five every quarter, Q4 2015 marks the first time that Turkey has made the list

Page 28

2.5 / DDoS Attacks by Industry / The online gaming sector was hit particularly hard in Q4 2015, accounting for 54% of all DDoS attacks, as shown in Figure 2-11. Gaming was followed by software and technology, which suffered 23% of all attacks in Q4. Financial services (7%), media and entertainment (5%), Internet and telecom (4%), retail and consumer goods (3%), education (3%), and the public sector (1%) rounded out the targeted industries.

Online gaming / Online gaming has remained the most targeted industry since Q2 2014. In Q4 2014, attacks were fueled by malicious actors seeking to gain media attention or notoriety from peer groups, to damage reputations and to cause disruptions in gaming services. Some of the largest console gaming networks were

DDoS Attack Frequency by Industry (Q3 2015 / Q4 2015)

[Figure 2-11, bar chart over Business Services, Education, Financial Services, Gaming, Hotel & Travel, Internet & Telecom, Media & Entertainment, Public Sector, Retail & Consumer Goods, Software & Technology. Values readable from the extraction: Gaming 50.00% / 54.45%; Software & Technology 25.33% / 23.03%; Financial Services 7.78% / 6.84%; Media & Entertainment 4.99% / 4.70%; Internet & Telecom 4.72% / 4.20%; Public Sector 1.06% / 1.35%. The remaining pairs (2.99% / 2.75%, 2.66% / 2.50%, 0.40% / 0.05%, 0.15% / 0.07%) belong to Retail & Consumer Goods, Education, Hotel & Travel and Business Services, in an order not recoverable from the text.]

Figure 2-11: The gaming and software & technology industries were targeted 77% of the time in Q4 2015, up from 75% in Q3 2015

Page 29

Another trend we’ve started exploring is the number of repeat attacks against the same organization. There were an average of 13 attack events per customer in Q4 2014, 17 attack events per customer in Q3 2015 and 24 attacks per customer in Q4 2015. Where in the past many attackers would see that a site or network was protected and move on, the latest trend is for attackers to keep hammering away at high-value organizations regardless of effect, looking for a moment when defenses might drop.

2.7 / Reflection DDoS Attacks, Q4 2014 – Q4 2015 / Last quarter, we introduced what is known as a Sankey graphic. Sankey diagrams help to visualize energy, material, or cost transfers between processes.

The Sankey graphic in Figure 2-14 shows how DDoS reflection attacks have trended during the past five quarters. Through the routed network, we tracked nine infrastructure layer DDoS reflection vectors. The most used vectors seem to correlate with the number of Internet devices that use these specific service protocols for legitimate purposes.

Reflection DDoS Attacks, Q4 2014 – Q4 2015

Figure 2-14: SSDP, NTP, DNS and CHARGEN have consistently been used as the most common reflection attack vectors, as can be seen on the left axis, and the use of reflection attacks has increased dramatically since Q4 2014, as shown on the right axis

Page 30

Top 10 Reflection Sources by ASN, Q4 2015

ASN 4837 (CNCGROUP China169 Backbone): 35%
ASN 4134 (CHINANET-BACKBONE): 23%
ASN 12874 (Fastweb SpA): 8%
ASN 17676 (GIGAINFRA Softbank BB Corp.): 7%
ASN 28573 (CLARO S.A.): 6%
ASN 6327 (Shaw Communications Inc.): 5%
ASN 22773 (Cox Communications Inc.): 5%
ASN 20115 (Charter Communications): 4%
ASN 9299 (Philippine Long Distance Telephone Company): 4%
ASN 9121 (TTNET Turk Telekomunikasyon Anonim Sirketi): 3%

Figure 4-2: Four of the top ASNs used in reflection attacks were based in Asia, four were based in the Americas and two were based in Europe

DDoS Reflector Heat Map, Q4 2015

Figure 4-3: The location of vulnerable devices used in reflection-based attacks during Q4 2015 was concentrated in the US, Asia and Europe

Page 31

SQLi was the second highest attack vector of the quarter (27%), followed by PHPi with 24%. SQLi is popularly linked in the public eye with database dumps. If an attack is successful, the actor may also gain the ability to modify the database tables or records themselves for their own malicious purposes.

Encrypting connections over HTTPS does not necessarily provide any additional protection mechanisms for web applications against the attackers, as they tend to shift to HTTPS to follow through on vulnerable applications. The distribution of attack vectors over HTTPS is shown in Figure 3-3.

Web Application Attacks Over HTTP vs. HTTPS: HTTP 89%, HTTPS 11%

Figure 3-1: Only 11% of the web application attacks observed in Q4 2015 were over encrypted (HTTPS) connections

Web Application Attack Vectors Over HTTP, Q4 2015: LFI 41.05%, SQLi 27.00%, PHPi 24.32%, XSS 4.70%, Shellshock 1.28%, RFI 0.82%, MFU 0.63%, CMDi 0.17%, JAVAi 0.02%

Figure 3-2: The three most popular attack vectors — LFI, SQLi and PHPi — were used in more than 92% of the attacks over HTTP